1 .TH IPSEC_SPIGRP 5 "27 Jun 2000"
3 .\" RCSID $Id: spigrp.5,v 1.5 2000/09/17 18:56:48 rgb Exp $
6 ipsec_spigrp \- list IPSEC Security Association groupings
12 .B /proc/net/ipsec_spigrp
15 .I /proc/net/ipsec_spigrp
16 is a read-only file that lists groups of IPSEC Security Associations
19 An entry in the IPSEC extended routing table can only point (via an
20 SAID) to one SA. If more than one transform must be applied to a given
21 type of packet, this can be accomplished by setting up several SAs with
22 the same destination address but potentially different SPIs and
23 protocols, and grouping them with
26 The SA groups are listed, one line per connection/group, as a sequence
27 of SAs to be applied (or that should have been applied, in the case of
28 an incoming packet) from inside to outside the packet. An SA is
29 identified by its SAID, which consists of protocol ("ah", "esp", "comp" or
30 "tun"), SPI (with '.' for IPv4 or ':' for IPv6 prefixed hexadecimal number ) and destination address
31 (IPv4 dotted quad or IPv6 coloned hex) prefixed by '@', in the format <proto><af><spi>@<dest>.
34 .B tun.3d0@192.168.2.110
35 .B comp.3d0@192.168.2.110
36 .B esp.187a101b@192.168.2.110
37 .B ah.187a101a@192.168.2.110
39 is a group of 3 SAs, destined for
41 with an IPv4-in-IPv4 tunnel SA applied first with an SPI of
43 in hexadecimal, followed by a Deflate compression header to compress
44 the packet with CPI of
46 in hexadecimal, followed by an Encapsulating Security Payload header to
47 encrypt the packet with SPI
49 in hexadecimal, followed by an Authentication Header to authenticate the
52 in hexadecimal, applied from inside to outside the packet. This could
53 be an incoming or outgoing group, depending on the address of the local
59 .B esp:187a101b@3049:1::2
60 .B ah:187a101a@3049:1::2
62 is a group of 3 SAs, destined for
64 with an IPv6-in-IPv6 tunnel SA applied first with an SPI of
66 in hexadecimal, followed by a Deflate compression header to compress
67 the packet with CPI of
69 in hexadecimal, followed by an Encapsulating Security Payload header to
70 encrypt the packet with SPI
72 in hexadecimal, followed by an Authentication Header to authenticate the
75 in hexadecimal, applied from inside to outside the packet. This could
76 be an incoming or outgoing group, depending on the address of the local
80 /proc/net/ipsec_spigrp, /usr/local/bin/ipsec
82 ipsec(8), ipsec_manual(8), ipsec_tncfg(5), ipsec_eroute(5),
83 ipsec_spi(5), ipsec_klipsdebug(5), ipsec_spigrp(8), ipsec_version(5),
86 Written for the Linux FreeS/WAN project
87 <http://www.freeswan.org/>
88 by Richard Guy Briggs.
92 .\" $Log: spigrp.5,v $
93 .\" Revision 1.5 2000/09/17 18:56:48 rgb
94 .\" Added IPCOMP support.
96 .\" Revision 1.4 2000/09/13 15:54:32 rgb
97 .\" Added Gerhard's ipv6 updates.
99 .\" Revision 1.3 2000/06/30 18:21:55 rgb
100 .\" Update SEE ALSO sections to include ipsec_version(5) and ipsec_pf_key(5)
101 .\" and correct FILES sections to no longer refer to /dev/ipsec which has
102 .\" been removed since PF_KEY does not use it.
104 .\" Revision 1.2 2000/06/28 12:44:12 henry
107 .\" Revision 1.1 2000/06/28 05:43:00 rgb
108 .\" Added manpages for all 5 klips utils.